Reject DMARC Policy (p=reject)

Definition

Reject is the strictest DMARC policy. Set with p=reject, it tells receiving servers to block mail that fails authentication, ideally during the SMTP transaction with a 550 reply, before it can reach the inbox or the spam folder. It is the only policy that actually stops exact-domain spoofing, and it is the intended end state after ramping through p=none and p=quarantine.

  • Failing mail is refused outright, not foldered. The recipient never sees it
  • It is the only DMARC policy that fully stops exact-domain spoofing
  • Reach it last, after p=none and p=quarantine reports are clean
  • Every legitimate sender must authenticate and align before you enforce it

At a glance

Policy tag: p=reject
Effect: Failing mail blocked
Where it acts: SMTP layer (550 reply)
Stops spoofing: Yes, exact-domain
Defined in: RFC 7489
Reach it after: none, then quarantine

What reject does

A message fails DMARC when neither SPF nor DKIM passes and aligns with the visible From: domain. Under p=reject, the receiver refuses that message rather than filing it. RFC 7489 recommends doing this during the SMTP transaction, so the receiving server returns a 550 rejection and the sending server gets an immediate bounce. The message is never accepted, so it lands in neither the inbox nor the spam folder.

This is the crucial difference from quarantine. Quarantine still delivers a forged message to the spam folder, where a careless recipient can open it. Reject means the forgery never arrives at all. That is why p=reject is the only policy that genuinely shuts down exact-domain spoofing of your From: address.

Anatomy of a reject record

A reject record is the same single TXT record at _dmarc.yourdomain.com, with the policy turned up to its strictest setting. A robust enforcing record covers subdomains too and keeps reporting switched on:

A full enforcement record: reject on the domain and subdomains, strict alignment, reports on:

    v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@example.com; fo=1

  • p=reject: block failing mail for the main domain.
  • sp=reject: apply the same policy to subdomains, closing a common spoofing gap.
  • adkim=s / aspf=s: demand strict alignment so a near-match cannot slip through.
  • pct=100: enforce on all failing mail (the default; lower it only to ramp).
  • rua=mailto:…: keep aggregate reports flowing even at reject, so you spot new sources.

How to reach reject safely

Publishing p=reject before your reports are clean is the fastest way to block your own invoices, password resets, and newsletters. The safe route is a staged rollout:

  • Start at p=none. Collect aggregate reports and inventory every service that sends as you, including shadow IT and old vendors.
  • Fix authentication. Make sure each legitimate source passes SPF or DKIM and aligns with your From: domain.
  • Move to p=quarantine. Apply consequences with a safety net, optionally ramping with pct=, and watch for anything unexpectedly foldered.
  • Then enforce p=reject. Once a full cycle of reports shows only authorised, aligned senders, turn it up to reject and keep reading reports.
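The "reports are clean" check in the staged rollout above, as an added example that is not part of the original page: it summarises an RFC 7489 aggregate (rua) report per sending source and flags sources that failed both aligned SPF and aligned DKIM. The XML is a constructed sample and the function names are mine.

```python
# Added example (not from the page): summarise an RFC 7489 aggregate (rua)
# report to decide whether a domain is ready to move up to p=reject.
import xml.etree.ElementTree as ET

# Constructed sample report, not a real one. policy_evaluated holds the
# DMARC-aligned results, which is what matters for the ramp decision.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def summarise(report_xml):
    """One dict per source: ip, message count, From: domain, disposition,
    and whether at least one of aligned DKIM / aligned SPF passed."""
    root = ET.fromstring(report_xml)
    out = []
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        aligned = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        out.append({"ip": row.findtext("source_ip"),
                    "count": int(row.findtext("count")),
                    "from": rec.findtext("identifiers/header_from"),
                    "disposition": pe.findtext("disposition"),
                    "aligned": aligned})
    return out


def failing_sources(report_xml):
    """Sources that failed both checks: each must be fixed (if it is yours)
    or confirmed as a forgery before the policy is raised to p=reject."""
    return [r for r in summarise(report_xml) if not r["aligned"]]


def ready_for_reject(report_xml, known_forgers=()):
    """True when every failing source is a known bad actor, not your own mail."""
    return all(r["ip"] in known_forgers for r in failing_sources(report_xml))
```

Run it over each daily report during the p=quarantine stage; the domain is ready for reject only when the failing list contains nothing you recognise as your own.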

Why reject matters for reputation and brand

Reject protects the asset your whole sender reputation is built on: your domain. Exact-domain spoofing is one of the fastest ways to torch a previously good reputation, and a published reject policy makes it dramatically harder for attackers to send phishing in your name. Since February 2024, Gmail and Yahoo require bulk senders to publish at least p=none; reject is the level that turns that baseline into real protection.

Reject is also the gold-standard prerequisite for inbox branding. To display your logo through BIMI with a VMC, you need an enforced DMARC policy, and while quarantine technically qualifies, reject is the recommendation. You can confirm your record and policy at any time with the DMARC checker.

How reject handles a failing message

  • A message arrives claiming to be from your domain.
  • The receiver checks SPF and DKIM against the From: domain: does SPF pass and align? Does DKIM pass and align?
  • If either passes and aligns, the message passes DMARC and is delivered.
  • If both fail, your p=reject policy applies: the receiver refuses it at SMTP with a 550, so it never arrives.
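The record tags described under "Anatomy of a reject record" and the evaluation steps just above, worked through as an added example that is not code from the original page: it parses a DMARC TXT record, applies strict or relaxed alignment, picks p= or sp= depending on whether the From: domain is the one the record was found at, honours pct=, and maps the result to the SMTP reply. Assumptions: the organizational domain is simplified to the last two labels, the caller supplies the pct= random sample, and the 550 reply wording is constructed.

```python
# Added example (not from the page): parse a DMARC record and compute the
# disposition a receiver would apply. Function names are my own.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}   # RFC 7489 defaults

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; sp=reject; ...' into a tag dict."""
    tags = dict(DEFAULTS)
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    return tags

def org_domain(domain):
    """Organizational domain. Assumption: the last two labels; a real receiver
    uses the Public Suffix List so that suffixes like co.uk work."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """adkim/aspf 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, record_domain, from_domain, spf_pass, spf_domain,
                      dkim_pass, dkim_domain, pct_roll=0):
    """Return 'pass', 'none', 'quarantine' or 'reject'.
    record_domain: where _dmarc.<domain> was found (the From: domain or its
    organizational domain). pct_roll: a 0-99 sample the caller supplies so the
    pct= ramp is deterministic here (a receiver would draw it at random)."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"                      # one aligned pass is enough
    # p= covers the domain the record was found at; sp= covers its subdomains.
    policy = tags["p"] if from_domain.lower() == record_domain.lower() else tags["sp"]
    if pct_roll >= int(tags["pct"]):
        # Mail outside the pct= share gets the next-weaker policy (RFC 7489).
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return policy

def smtp_reply(disposition):
    """Reply an SMTP-time enforcer would send; the wording is constructed."""
    return "550 5.7.1 Message rejected by DMARC policy" if disposition == "reject" else "250 OK"
```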

Reject vs quarantine vs none

                      reject               quarantine            none
Action on failure     Block outright       Treat as suspicious   None, monitor only
Where it acts         SMTP, before inbox   After accepting       No action
Recipient sees it?    Never                In spam               In inbox
Stops spoofing?       Yes                  Partly                No
When to use           Reports are clean    Middle step           First step

By the numbers

550: The SMTP rejection code a receiver returns when a message fails a p=reject DMARC policy.
3: Stages on the path to reject: none, then quarantine, then reject.
Feb 2024: When Gmail and Yahoo began requiring bulk senders to publish a DMARC record, with reject the strongest level.

Common mistakes

Going straight to p=reject
Enforcing before your aggregate reports are clean blocks your own legitimate mail (newsletters, CRMs, invoicing tools) the moment it fails alignment. Ramp through none and quarantine first.
Rejecting the domain but not subdomains
A bare p=reject leaves subdomains exposed unless you also set sp=reject. Attackers happily spoof billing.yourdomain.com if the subdomain policy is weaker.
Turning off reporting at reject
Dropping rua once you reach reject leaves you blind to new senders and misconfigurations. Keep aggregate reports flowing so a newly added service does not get silently blocked.
Forgetting that quarantine still delivers
Teams sometimes assume quarantine is enough. It only sends forgeries to spam; a careless recipient can still open them. Only reject refuses the message so it never arrives.

Frequently asked questions

What is the difference between quarantine and reject?
Quarantine still accepts a failing message and files it in the spam folder, where a recipient can find it. Reject refuses the message outright, usually at the SMTP layer with a 550, so it never reaches the account at all. Reject is the only policy that fully stops exact-domain spoofing.
Will p=reject block my legitimate email?
Only if a legitimate source is not authenticating and aligning. That is exactly why you ramp through p=none and p=quarantine first: read your aggregate reports, confirm every real sender passes SPF or DKIM with alignment, then enforce reject. Done in that order, only forgeries get blocked.
Is p=reject required?
Not strictly. Since February 2024 Gmail and Yahoo require bulk senders to publish at least p=none, not reject. But reject is the recommended end state because it is the only policy that actually prevents spoofing, and it is the gold-standard prerequisite for BIMI logo display with a VMC.
What SMTP response does a rejected message get?
RFC 7489 recommends rejecting during the SMTP transaction, so the sending server typically receives a 550 permanent failure. The message is never accepted, which is why it appears in neither the inbox nor the spam folder.
Reviewed by Jennifer Jackson, Email Deliverability Analyst · June 2026